
CMS WEB-BROKER PARTICIPATION REQUIREMENTS COMPLIANCE
The Centers for Medicare & Medicaid Services (CMS) Center for Consumer Information and Insurance Oversight (CCIIO) requires all Web-brokers to comply with the new requirements for the Web-broker program on or after January 1, 2020.
Web-brokers must demonstrate operational readiness and compliance with applicable requirements.
CMS WEB-BROKER PARTICIPATION COMPLIANCE
Deliver a unified view of cyber risk and vulnerabilities across your organization through risk-focused tools and procedures. Gauge the potential impact of risk-based decision-making on the mission. Reduce time spent obtaining CMS and other federal agency authorizations with reciprocal acceptance. Increase the likelihood of executing future projects on time and on budget by proactively building security into systems. Enhance efficiency through information assurance control inheritance and reuse.
CMS monitors compliance with the requirement to hold appropriate licensure wherever you plan to actively sell Marketplace coverage, and you must meet CMS monitoring, compliance and security guidelines as a Web Agent or Broker. CyberSecOp will perform CMS compliance reviews and security assessments to aid in the development of a security program by creating a remediation roadmap.
CMS WEB-BROKER PARTICIPATION REQUIREMENTS
All agents and brokers must execute and comply with the applicable Agent and Broker requirements to participate:
Agent Broker General Agreement for Individual Market Federally-facilitated Exchanges and the State-based Exchanges on the Federal Platform (General Agreement). All agents and brokers who wish to assist consumers in the Individual Marketplace must electronically execute this General Agreement.
Agreement between Agent or Broker and CMS for Individual Market Federally-facilitated Exchanges and the State-based Exchanges on the Federal Platform (Individual Privacy and Security Agreement). All agents and brokers who wish to assist consumers in the Individual Marketplace must electronically execute this Privacy and Security Agreement.
Agreement between Agent or Broker and CMS for the Small Business Health Options Programs of the Federally-facilitated Exchanges and State-based Exchanges on the Federal Platform (SHOP Privacy and Security Agreement). All agents and brokers who wish to assist qualified employers in the SHOP must electronically execute this Privacy and Security Agreement.
For CMS agents and brokers who wish to assist consumers: Web-broker Participation Compliance Program and Services, and Medicare Marketing Readiness.
CMS NIST Consulting Services with CyberSecOP
CMS Web-brokers Participating Compliance Services
No need to worry: CyberSecOp provides all the services needed to bring you into compliance with CMS: Policy Development, Security Assessment, Annual Penetration Testing, Security and Privacy Assessment Report, a Plan of Action and Milestones (POA&M) if the assessor identifies any privacy or security compliance findings, and a Non-Exchange Entity System Security and Privacy Plan.
Exhibit 2. CMS Required Privacy and Security Documentation
The report should contain a summary of findings that includes ALL findings from the assessment to include documentation reviews, control testing, scanning, penetration testing, interview(s), etc.
Explain if and how findings are consolidated.
Ensure risk level determination is properly calculated, especially when weaknesses are identified as part of the Center for Internet Security (CIS) Top 20 and/or OWASP Top 10.
Only one final report should be submitted to CMS. Unless CMS has provided comments and/or requested edits to the original submission and requested a revised resubmission, no additional reports should be submitted.
Assessment options: The report may be prepared by:
– A third-party auditor (recommended); or
– Internal staff, provided that:
  – They have appropriate qualifications to evaluate security and privacy controls. The internal staff should be familiar with National Institute of Standards and Technology (NIST) standards, the Health Insurance Portability and Accountability Act (HIPAA), and other applicable federal privacy and cybersecurity regulations and guidance. In addition, the internal staff should be capable of performing penetration testing and vulnerability scans.
  – They are not involved in the developmental, operational, and/or management chain associated with the system that is the subject of the assessment.
– Alternatively, the web-broker may reference existing audit results that address some or all of the assessment’s requirements, provided the existing audit results were produced by a third-party auditor or internal staff in conformity with the requirements described above.
If existing audit reports do not address all required elements of the assessment, the remaining elements must be addressed using one of the first two assessment options.
Vulnerability Assessments
CyberSecOp uses a unified risk-based approach built on NIST, OWASP and ISO guidance to accomplish comprehensive vulnerability testing. This helps us identify gaps across the many types of technology and environments that handle PHI, which is protected under CMS requirements.
Penetration Testing
Our security team will simulate real-world attacks to assess the security controls protecting external applications, systems, networks, and mobile applications, and to identify their vulnerabilities.
Assess Risk to Organizational Operations
CMS periodically assesses the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of PHI.
CMS Cyber Incident Reporting
If contractors experience a cyber incident that impacts PHI, then they must do the following:
– The health plan should deploy fraud, waste and abuse programs aimed at prevention, identification, investigation and resolution of risks related to potential fraud, waste and abuse, including continuous monitoring capabilities aimed at early detection of incidents.
– Perform an analysis and gather evidence to determine if specific PHI was compromised on contractor computers or servers.
– Rapidly report (within 72 hours) the discovery of the cyber incident. A medium-assurance certificate will be required to report the incident.
CMS Gap Analysis
CyberSecOp’s security team will assess your current compliance state and identify PHI exposure and potential liability. Findings will be used to identify gaps in the security posture, verify current policies and procedures that safeguard PHI, and produce a detailed roadmap with recommended measures for NIST 800 compliance.
Review 24/7 monitoring and maintenance of your systems
Review business continuity plan in times of disaster
Enterprise IT Infrastructure
We assess infrastructure controls to identify gaps in the overall security of the system and in compliance with NIST 800. Below are some of the more commonly practiced NIST 800 control areas that CyberSecOp Secure has experience assisting with in implementation, design, authorization and configuration:
Lines of communication established within the health plan should ensure confidentiality between the compliance officer and the compliance committee, and allow for all compliance issues to be reported anonymously and in good faith.
A system for monitoring and auditing should include both internal and external audits of the effectiveness of the compliance program, including first tier entities.
The enforcement of well-publicized policies and procedures should include a system for promptly responding to compliance issues as they are identified. Health plans should establish procedures for voluntarily self-reporting potential fraud or misconduct. Issues should be identified through a series of self-assessments within the health plan, as well as through internal and external audits.
Healthcare Cyberattacks - CMS
The IDC Insights group predicts that 1 in 3 health-care recipients will be a victim of a data breach in 2016. To date, 89% of health-care organizations have had a data breach and 79% have reported multiple attacks. The most commonly compromised data are medical records, billing, and insurance information.
CMS Agent and Broker Compliance: Implement System Security Plans
Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems, based on CMS NIST requirements.
NIST SP 800-171 control families:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
CMS NIST Security Program Overview
CMS Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security.
CMS System Security Plan: NIST 800 requires agencies to create a security plan that is regularly maintained and kept up to date. The plan should cover the security controls implemented within the organization, its security policies, and a timetable for the introduction of further controls.
CMS Security Controls: NIST 800 outlines an extensive catalog of suggested security controls for NIST compliance. NIST does not require an agency to implement every single control; instead, agencies are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organization must document the selected controls in its system security plan.
CMS Risk Assessments: Risk assessments are a key element of the CMS NIST-based information security requirements. NIST 800 offers guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered, identifying security risks at the organizational level, the business process level, and the information system level.
CMS Certification and Accreditation: NIST requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve NIST Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.